DEPARTMENT OF HEALTH & HUMAN SERVICES                              Office of Inspector General
                                                                   Washington, D.C. 20201

May 16, 2011

TO:            Farzad Mostashari, M.D., Sc.M.
               National Coordinator for Health Information Technology
               Office of the National Coordinator for Health Information Technology

FROM:          /Daniel R. Levinson/
               Inspector General

SUBJECT:       Audit of Information Technology Security Included in Health Information Technology Standards (A-18-09-30160)

The attached final report provides the results of our review of information technology security included in health information technology standards.

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that the Office of Inspector General (OIG) post its publicly available reports on the OIG Web site. Accordingly, this report will be posted at http://oig.hhs.gov.

If you have any questions or comments about this report, please do not hesitate to call me, or your staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal Activities, and Information Technology Audits, at (202) 619-1175 or through email at Lori.Pilcher@oig.hhs.gov. We look forward to receiving your final management decision within 6 months. Please refer to report number A-18-09-30160 in all correspondence.

Attachment


Department of Health & Human Services
OFFICE OF INSPECTOR GENERAL

AUDIT OF INFORMATION TECHNOLOGY SECURITY INCLUDED IN HEALTH INFORMATION TECHNOLOGY STANDARDS

Daniel R. Levinson
Inspector General

May 2011
A-18-09-30160


Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health & Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at http://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.


EXECUTIVE SUMMARY

BACKGROUND

Office of the National Coordinator for Health Information Technology

On April 27, 2004, Executive Order 13335 created within the Department of Health & Human Services (HHS) the Office of the National Coordinator for Health Information Technology (ONC) to lead the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure. The National Coordinator for Health Information Technology was charged with developing, maintaining, and directing the implementation of a strategic plan to guide the nationwide implementation of interoperable HIT that will reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients’ individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).

In 2005, ONC established the Health Information Technology Standards Panel (HITSP) as a cooperative partnership between the public and private sectors to harmonize and integrate standards for sharing information among organizations and systems. HITSP has developed interoperability specifications, which define the transactions between systems, including the message, the content, and the terminology for the information exchange. Interoperability specifications also give directions to health care providers about implementing EHRs and sharing information among health organizations and systems. In developing the interoperability specifications, HITSP considered overarching principles and concepts derived from an analysis of Federal and State laws and regulations.

Health Information Technology for Economic and Clinical Health Act

Through the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (P.L. No. 111-5), Congress reestablished ONC by statute and directed ONC to develop a nationwide HIT infrastructure that allows for the electronic use and exchange of information, specifically EHRs. Important responsibilities for ONC included recommending to the HHS Secretary the adoption of standards, implementation specifications, and certification criteria by December 31, 2009. In addition, the HITECH Act requires ONC to update its strategic plan to include specific objectives, milestones, and metrics with respect to, among other matters, the use of an EHR by every individual in the United States by 2014; ensuring appropriate authorization and electronic authentication of health information; and specifying technologies or methodologies for rendering health information unusable, unreadable, or indecipherable to unauthorized users.

Privacy and Security Protections

The responsibility to maintain the privacy and security of health information is dispersed among several Federal agencies, including three within HHS: ONC, the Centers for Medicare & Medicaid Services (CMS), and the Office for Civil Rights (OCR).

General Information Technology Security Controls Versus Application Controls

General information technology (IT) security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls. General IT security controls work together to ensure a secure environment for health data. Application controls, in contrast, function inside systems or applications to ensure that they work correctly. Application controls may be easily bypassed if general IT security controls are missing or ineffective.

OBJECTIVE

Our objective was to assess the IT security controls in HIT standards.

SUMMARY OF FINDING

We found that ONC had application controls in the interoperability specifications, but there were no HIT standards that included general IT security controls. At the time of our audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

We reviewed the Interim Final Rule for Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, issued in January 2010, and the Final Rule published in the Federal Register in July 2010. Both documents discuss security in terms of application controls; they do not contain general IT security controls. A few examples of general IT security controls emphasized by the Office of Management and Budget and the National Institute of Standards and Technology but not addressed by ONC are:

   •   encrypting data stored on mobile devices, such as compact disks and thumb drives;

   •   requiring two-factor authentication when remotely accessing an HIT system; and

   •   patching the operating systems of computer systems that process and store EHR.

We found the lack of these and other general IT security controls during prior Office of Inspector General audits at Medicare contractors, State Medicaid agencies, and hospitals. The vulnerabilities that we noted, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed.

RECOMMENDATIONS

We recommend that ONC:

   •   broaden its focus from interoperability specifications to include well-developed general IT security controls for supporting systems, networks, and infrastructures;

   •   use its leadership role to provide guidance to the health industry on established general IT security standards and IT industry security best practices;

   •   emphasize to the medical community the importance of general IT security; and

   •   coordinate its work with CMS and OCR to add general IT security controls where applicable.

OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY COMMENTS

ONC concurred with our recommendations and described the actions that it was taking to address them. ONC’s comments are included in their entirety as the Appendix.


TABLE OF CONTENTS

                                                                                  Page

INTRODUCTION .......................................................................... 1

     BACKGROUND ....................................................................... 1
          Office of the National Coordinator for Health Information Technology ....... 1
          Health Information Technology Standards Panel ............................. 1
          Health Information Technology for Economic and Clinical Health Act ........ 1
          Privacy and Security Protections .......................................... 2
          General Information Technology Security Controls Versus Application Controls ... 3

     OBJECTIVE, SCOPE, AND METHODOLOGY ............................................... 3
          Objective ................................................................. 3
          Scope ..................................................................... 3
          Methodology ............................................................... 3

FINDING AND RECOMMENDATIONS ............................................................ 4

     ADOPTING GENERAL INFORMATION TECHNOLOGY SECURITY CONTROLS ....................... 4
          Federal Requirements ...................................................... 4
          General Information Technology Security Controls Needed ................... 6

     CONCLUSION ....................................................................... 9

     RECOMMENDATIONS .................................................................. 9

     OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY COMMENTS ... 9

APPENDIX

     OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY COMMENTS


ACRONYMS

CD       compact disk
CMS      Centers for Medicare & Medicaid Services
EHR      electronic health record
FISCAM   Federal Information System Controls Audit Manual
HHS      Department of Health & Human Services
HIPAA    Health Insurance Portability and Accountability Act of 1996
HIT      health information technology
HITECH   Health Information Technology for Economic and Clinical Health Act
HITSP    Health Information Technology Standards Panel
IT       information technology
NIST     National Institute of Standards and Technology
OCR      Office for Civil Rights
OIG      Office of Inspector General
OMB      Office of Management and Budget
ONC      Office of the National Coordinator for Health Information Technology
OS       operating system
PHSA     Public Health Service Act


INTRODUCTION

BACKGROUND

Office of the National Coordinator for Health Information Technology

On April 27, 2004, Executive Order 13335 created within the Department of Health & Human Services (HHS) the Office of the National Coordinator for Health Information Technology (ONC) to lead the development and nationwide implementation of an interoperable health information technology (HIT) infrastructure to improve the quality and efficiency of health care. The National Coordinator for Health Information Technology (National Coordinator) was charged with developing, maintaining, and directing the implementation of a strategic plan to guide the nationwide implementation of interoperable HIT in both the public and private health care sectors that will, by 2014, reduce medical errors, improve quality, produce greater value for health care expenditures, ensure that patients’ individually identifiable health information is secure and protected, and facilitate the widespread adoption of electronic health records (EHR).

Health Information Technology Standards Panel

In 2005, ONC established the Health Information Technology Standards Panel (HITSP) as a cooperative partnership between the public and private sectors to harmonize and integrate standards for sharing information among organizations and systems. HITSP is a multistakeholder organization that has developed interoperability specifications through a voluntary, consensus-based process. Interoperability specifications define the transactions between systems, including the content and the terminology for the information exchange. Interoperability specifications also give directions to health care providers about implementing EHRs and sharing information among health organizations and systems.

Since 2007, HITSP has developed and refined its interoperability specifications to integrate already existing and emerging standards and to align overlapping standards. In developing the interoperability specifications, HITSP considered overarching principles and concepts derived from an analysis of Federal and State laws and regulations.

Health Information Technology for Economic and Clinical Health Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of the American Recovery and Reinvestment Act of 2009, P.L. No. 111-5 (Recovery Act), amended the Public Health Service Act (PHSA) to improve health care quality, safety, and efficiency through the promotion of HIT and the electronic exchange of health information.

Through HITECH, Congress reestablished ONC by statute and directed ONC to develop a nationwide HIT infrastructure that allows for the electronic use and exchange of information, specifically EHRs. Important responsibilities for ONC included recommending to the HHS Secretary the adoption of standards, implementation specifications, and certification criteria by December 31, 2009. In addition, HITECH requires ONC to update its strategic plan to include specific objectives, milestones, and metrics with respect to, among other matters, the use of an EHR by every individual in the United States by 2014; ensuring appropriate authorization and electronic authentication of health information; and specifying technologies or methodologies for rendering health information unusable, unreadable, or indecipherable to unauthorized users. HITECH permits ONC to recommend and the HHS Secretary to apply the standards developed by HITSP before the law’s enactment.

To facilitate the development and adoption of an HIT infrastructure and standards, HITECH created two committees: the HIT Policy committee and the HIT Standards committee. The National Coordinator is a leading member of both committees. The Policy committee makes policy recommendations to the National Coordinator relating to the implementation of a nationwide HIT infrastructure. The Standards committee recommends to the National Coordinator standards, implementation specifications, and certification criteria for the electronic exchange and use of health information.

Privacy and Security Protections

The responsibility to maintain the privacy and security of health information is dispersed among several Federal agencies, including three entities within HHS.

Office of the National Coordinator

Section 13101 of HITECH (PHSA §§ 3001(b)(1), 3001(c)(3)(A), and 3002(b)(2)(B), as amended) states that ONC and its committees must develop standards and a framework for the protection and security of health information being exchanged through a nationwide health information network. ONC published an Interim Final Rule (75 Fed. Reg. 2013 (2010)) containing the initial set of standards. ONC finalized the rule, which contains provisions that address privacy and security protection (75 Fed. Reg. 44590 (2010)).

Centers for Medicare & Medicaid Services

Pursuant to Title IV of the Recovery Act, which authorizes Medicare and Medicaid incentive payments to eligible professionals and hospitals for the meaningful use of EHR technology, the Centers for Medicare & Medicaid Services (CMS) promulgated its Final Rule defining “meaningful use” (75 Fed. Reg. 44313 (2010)). This definition includes the protection of health data and requires that eligible professionals and hospitals conduct a risk analysis of their EHR systems and implement updates to address identified vulnerabilities.

Office for Civil Rights

The Office for Civil Rights (OCR) oversees compliance with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). On September 23, 2009, OCR’s Interim Final Rule (74 Fed. Reg. 42740 (2009)) for breach notifications of unsecured sensitive information became effective. Pursuant to HITECH, the Interim Final Rule established regulations requiring covered entities to notify affected individuals, the media, and the HHS Secretary following a breach of their protected health information.

General Information Technology Security Controls Versus Application Controls

General information technology (IT) security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls. Some primary objectives of general IT security controls are to protect networks, computer systems, and data. General IT security controls work together to ensure a secure environment for health data.

Application controls, in contrast, function inside systems or applications to ensure that they work correctly. Application controls may be easily bypassed if general IT security controls are missing or ineffective.

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

Our objective was to assess the IT security controls in HIT standards.

Scope

We assessed ONC’s process for creating and adopting interoperability specifications as of April 2009. We also reviewed the Interim Final Rule for Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, issued in January 2010, and the Final Rule published in the Federal Register in July 2010. We did not review ONC’s overall internal control structure.

We performed our fieldwork at ONC headquarters in Washington, DC, from June through August 2009 and from February through August 2010. After the end of our initial fieldwork in 2009, ONC management provided additional information to demonstrate the steps that ONC had taken to address the security of sensitive information.

Methodology

To accomplish our objective, we:

   •   reviewed applicable Federal laws, regulations, and guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST);

   •   interviewed ONC staff; and

   •   reviewed supporting documentation.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our finding and conclusion based on our audit objective.


FINDING AND RECOMMENDATIONS

We found that ONC had application controls in the interoperability specifications, but there were no HIT standards that included general IT security controls. At the time of our audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

We reviewed the Interim Final Rule issued in January 2010 and the Final Rule published in the Federal Register in July 2010. Both documents discuss security in terms of application controls; they do not contain general IT security controls. A few examples of general IT security controls emphasized by OMB and NIST but not addressed by ONC are:

   •   encrypting data stored on mobile devices, such as compact disks (CD) and thumb drives;

   •   requiring two-factor authentication when remotely accessing an HIT system; and

   •   patching the operating systems (OS) of computer systems that process and store EHR.

We found the lack of these and other general IT security controls during prior Office of Inspector General (OIG) IT audits at Medicare contractors, State Medicaid agencies, and hospitals. The vulnerabilities that we noted, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed.

ADOPTING GENERAL INFORMATION TECHNOLOGY SECURITY CONTROLS

Federal Requirements

We identified the following Federal security standards for the protection of Federal data as reasonable benchmarks to assess the adequacy of the general IT security controls established for EHRs.

Recovery Act

The Recovery Act added section 3001 of the PHSA, which states that the National Coordinator “shall perform [his or her] duties … in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information that – (1) ensures that each patient’s health information is secure and protected, in accordance with applicable law.” The Recovery Act states that the National Coordinator should, in consultation with appropriate Federal agencies, update the Federal Health IT Strategic Plan to include specific objectives, milestones, and metrics. The update should:

   •   include the “incorporation of privacy and security protections for the electronic exchange of individually identifiable health information” and

   •   use “security methods to ensure appropriate authorization and electronic authentication of health information and specifying technologies or methodologies for rendering health information unusable, unreadable, or indecipherable” to unauthorized users (section 3001(c)(3)(A)).

Office of Management and Budget

In OMB Memorandum M-06-16, “Protection of Sensitive Agency Information,” OMB recommends:

   •   encrypting “all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing” and

   •   allowing “remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.”

National Institute of Standards and Technology Special Publication 800-40

NIST Special Publication 800-40, revision 2, Creating a Patch and Vulnerability Management Program, states that:

        Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization…. Timely patching of security issues is generally recognized as critical to maintaining the operational availability, confidentiality, and integrity of IT systems…. Most major attacks in the past few years have targeted known vulnerabilities for which patches existed before the outbreaks [Executive Summary, November 2005].

Federal Information System Controls Audit Manual

The Federal Information System Controls Audit Manual (FISCAM) states that general IT security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create the environment for application systems and controls. General controls protect networks, safeguard data, and prevent unauthorized access to software. The effectiveness of general controls is a significant factor in determining the effectiveness of application controls. Without effective general controls, application controls “can generally be rendered ineffective by circumvention or modification.” [1]

[1] Government Accountability Office, FISCAM, section 1.2, February 2009.

General Information Technology Security Controls Needed

Health Information Technology Standards

ONC did not have HIT standards that included general IT security controls. A few examples of general IT security controls are encrypting data stored on mobile devices, using two-factor authentication, and updating (patching) the OSs that process and store sensitive health-related information. For example:

   •   Encryption is required by ONC interoperability specifications for data transmission between systems. However, encrypting data stored on portable media is not included in a standard, creating a potential vulnerability if unprotected HIT data were copied to portable media, such as a CD or flash drive, and transported to another location. Encrypting data stored on portable media is not included in any HIT standard.

   •   Two-factor authentication is not required by the HIT standards. Two-factor authentication is a security process in which the user provides two means of identification. Typically, this requires a physical token, such as a card, and something memorized, such as a security code (i.e., “something you have and something you know”).

   •   Patching computer systems, which includes timely security updates and enhancements to protect IT systems from viruses, malware, and other attacks, is not required by the HIT standards.

Lack of any of these or other IT security controls can expose HIT systems to a host of problems. Each year, Cisco Systems issues a security report that encompasses threat information, trends, and a snapshot of the state of IT security. The Cisco 2009 Annual Security Report stressed the importance of patching computer systems, our third example, by stating:

        Conficker, the big botnet [2] of 2009, gained traction because computer users failed to download a patch that was readily available from Microsoft. Although most of today’s attacks are launched via social media networks, criminals still look for ways to exploit these old-style vulnerabilities.

We found these three vulnerabilities, as well as many others, during OIG IT audits at Medicare contractors, State Medicaid agencies, and hospitals.

[2] A botnet is a large group of computers taken over by a hacker and frequently used without the computer owners’ knowledge.

Interoperability Specifications

Interoperability specifications do not address general IT security controls recommended by NIST and best practices. For example, interoperability specifications do not address controls on the networks that the EHR applications use. Dr. John Halamka, chairman of HITSP and vice-chairman of the Standards Committee, stated that security is broader than just EHR interoperability standards and EHR applications:

        Security is not just about using the right standards or purchasing products that implement those standards. It’s also about the infrastructure on which those products run and the policies that define how they’ll be used. A great software system that supports role-based security is not so useful if everyone is assigned the same role and its accompanying access permissions. Similarly, running great software on an open wireless network could compromise privacy.… Security is a process, not a product. Hackers are innovative, and security practices need to be constantly enhanced to protect confidentiality. Security is also a balance between ease of use and absolute protection. The most secure library in the world—and the most useless—would be one that never loaned out any books.… Security is an end-to-end process. The health care ecosystem is as vulnerable as its weakest link. Thus, each application, workstation, network and server within an enterprise must be secured to a reasonable extent. The exchange of health care information between enterprises cannot be secured if the enterprises themselves are not secure. [3] [Emphasis in the original.]

Health Information Technology Standards Panel’s Focus

HITSP itself has said that it did not intend to resolve privacy or security policy issues in its standards-making process:

        The HITSP SPI-TC [4] designed the constructs described in this Technical Note to support a wide variety of security and privacy policies and technical frameworks…. HITSP has not attempted to resolve privacy or security policy issues, risk management, healthcare application functionality, operating systems functionality, physical control specifications, or other low-level specifications…. [Emphasis in the original.] [5]

At the time of our review, the meeting transcripts and reports from the Standards committee and its Security subcommittee showed recommendations for encrypting data on portable devices but no recommendations relating to two-factor authentication, system patching, or any other general IT security issues. At the end of our audit period, the Standards committee had not acted on encrypting data on portable devices.

[3] John Halamka, “Opinion: E-health security requires a delicate balance,” ComputerWorld, p.
34, October 5, 2009.\n4\n    Security, Privacy, and Infrastructure Domain Technical Committee.\n5\n    HITSP, Security and Privacy Technical Note, TN 900, section 1.1.1, October 2007, revised July 2009.\n\n                                                          7\n\x0cAdditional Office of the National Coordinator Documentation\n\nAfter the end of our fieldwork, ONC gave us documents to show its position on general IT\nsecurity:\n\n   \xe2\x80\xa2   Four documents, published after our initial fieldwork, related to EHR system\n       certification.\n\n   \xe2\x80\xa2   One document, from OCR and published after our initial fieldwork, was on breach\n       notification and the way in which the use of encryption would negate the need for\n       notification. ONC told us that this would encourage the use of encryption.\n\n   \xe2\x80\xa2   ONC provided documentation on three grants that it had funded. We found that two of\n       the grants (posted after our fieldwork) might have enhanced general IT controls because\n       they discussed general IT security, but they did not address the specific conditions found\n       in this report even though the tasks in the two grants included those conditions:\n\n          o One grant will establish the Strategic Health IT Advanced Research Projects\n            program, which will fund research that focuses on identifying technology\n            solutions to problems impeding broad adoption of HIT, including HIT security.\n\n          o Another grant will establish at least 70 Regional Extension Centers and a national\n            HIT Research Center to offer technical assistance, guidance, and information on\n            best practices, including those on IT security issues, to support and accelerate\n            health care providers\xe2\x80\x99 efforts to become meaningful users of EHRs.\n\n   \xe2\x80\xa2   Three documents related to HIPAA security: one was from NIST and two were from\n       CMS. 
ONC management told us that it relies on the HIPAA Security Rule to ensure that\n       appropriate IT security controls are in place.\n\nPrior Office of Inspector General Work and the\nHealth Insurance Portability and Accountability Act of 1996\n\nOur concern with the effectiveness of the HIPAA Security Rule is based on work that we did on\nCMS\xe2\x80\x99s oversight of covered entity compliance with HIPAA and the significant weaknesses we\nfound in IT security at eight hospitals. Examples of the weaknesses identified at the eight\nhospitals included:\n\n   \xe2\x80\xa2   unprotected wireless networks,\n\n   \xe2\x80\xa2   lack of vendor support for OSs,\n\n   \xe2\x80\xa2   inadequate system patching,\n\n   \xe2\x80\xa2   outdated or missing antivirus software,\n\n\n                                                 8\n\x0c   \xe2\x80\xa2   lack of encryption of data on portable devices and media,\n\n   \xe2\x80\xa2   lack of system event logging or review,\n\n   \xe2\x80\xa2   shared user accounts, and\n\n   \xe2\x80\xa2   excessive user access and administrative rights.\n\nOur experience with HIPAA implementation in hospitals does not support ONC\xe2\x80\x99s position that\nHIPAA provides adequate general IT security. We also have similar findings in Medicare and\nMedicaid audits.\n\nCONCLUSION\n\nWe found that the interoperability specifications, the Interim Final Rule, and the Final Rule did\ninclude some security features necessary for securely passing data between systems. However,\nONC did not have standards that included general IT security controls, which need to be\naddressed to ensure a secure environment for health data.\n\nIn addition, ONC deferred at this time to the HIPAA Security Rule for addressing IT security for\nHIT. Our HIPAA reviews identified vulnerabilities in the HHS oversight function and the\ngeneral IT security controls. 
Those vulnerabilities in hospitals, Medicare contractors, and State\nagencies, combined with our findings in this audit, raise concern about the effectiveness of IT\nsecurity for HIT if general IT security controls are not addressed by ONC.\n\nRECOMMENDATIONS\n\nWe recommend that ONC:\n\n   \xe2\x80\xa2   broaden its focus from interoperability specifications to include well-developed general\n       IT security controls for supporting systems, networks, and infrastructures;\n\n   \xe2\x80\xa2   use its leadership role to provide guidance to the health industry on established general IT\n       security standards and IT industry security best practices;\n\n   \xe2\x80\xa2   emphasize to the medical community the importance of general IT security; and\n\n   \xe2\x80\xa2   coordinate its work with CMS and OCR to add general IT security controls where\n       applicable.\n\nOFFICE OF THE NATIONAL COORDINATOR FOR\nHEALTH INFORMATION TECHNOLOGY COMMENTS\n\nONC concurred with our recommendations. ONC\xe2\x80\x99s comments are included in their entirety as\nthe Appendix.\n\n\n\n                                                 9\n\x0cAPPENDIX\n\x0c                                                                                                                               Page 1 of5\n\n\nAPPENDIX: OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH \n\n           INFORMATION TECHNOLOGY COMMENTS \n\n\n\n\n\n        DEPARTMENT OF HEALTH & HUMAN SERVICES\n                                                                                                         Officc Df!be N. ,,,,..I CoonIi.... or\n                                                                                                         for Health Informalion T\xc2\xabhIlCIDV\n                                                                                                         W..h,"aton, D.C. 20201\n\n\n      DATE:           Man:h 23, 20] I\n\n      TO:            Daniel R. 
Levinson\n                     Inspector General\n\n      FROM:          David Blumenthal\n                     N.tiolWll CoordiMtor for Health Information Technology\n\n      SUBJECT:       Office of Inspector General Draft Report: "Audit oflnformation Teclmology Sec..mty\n                     Included in Health Information Technology Standards (A-18.Q9-30160)\n\n     Thank you for the OppOrtunity to review and comment on the above rcferm.ud Office Qflnspector Gencrlli\n     (OIG) draft report. The Office: of the National Coordin.o.tor for Health Infonnation Tcchnology (ONC)\n     appre<:iatcs me effort and rcsOUl\'CeS DIG has invested to re5Cuch and report on ONe\'s activilies reLated!O\n     Health Information Technology (health 11) standard$.\n\n     ONe recognizes the crucial role of bcalth IT se<:urity in maintaining the public\'s trust in health IT and\n     bealth information exchange. In its carly stage!, ONe cOJlUllctcd with the Health Information Technology\n     Standards Panel (HITSP) as an ANS I-accredited body to $elect and harmonize beahhcare data slandards\n     that are foundational to the interopernbility use cases identified by !he American Health InfolIllIuion\n     Conununity (AHIC), a Fe deral Advisory Committee Act Conun inee (FACA). Uoder contract willi ONC\n     from 2005lbrough 2010, HITSP establislled a Security and Privacy Technical Commiuee, which identified\n     and recommended security standards lIIat Cllt across all AHIC\'. IISC cases. These sUlndards were\n     referenced in published interoperability specifications. 
Beginning in January 2008, the HHS Secretary\n     o fficially rerognized a number of HITSP-produced interopCfll.bility specifications as HHS policy.\' The\n     first sct ofHITSP interoperBbility speciflC&tions incorporated security features sucb as trlInSmission\n     encryption, audit loggi ng, e ntity 1llI1IIentication, digital signatures, access controls, and rights management.\n     These standards were also inCOIpOTated into !be certification process fonnerly managed b y !be Certification\n     Commission for Health IT (COlin. An open source health information ~change product, CONNECT,\n     developed by a 29-agency cooperative agreement (the Fe deral Health Arehitcc!\\Jft\') LnoolpOrates these\n     recogoized standards.\n\n     The focus ofstaodards activity shifted with the enactment of the Health Information Technology for\n     Economic and Clinical Health (H1TECH) Act, which created a framework for providing Medicare and\n     Medicaid incentive payme nts for the me aningful use of certified electronic health record (EH R)\n     technology. HITEOI aiso established the Health IT Policy Comminee (HJTPC) and the Health IT\n     Standards Committee (HITSC), AHIC\'s SllCCessors. Uoder HITECH and with a new FACA panel in place,\n     the methodology and scope ofONC \'s .\'<Ccurity standards activities evolved from a trlInS3Ction-level\n     approach 10 a proliuct-orienled approach consistent with the statutory mandate lIIat ONC certify health IT,\n     inchlding EHR technology. The HHS Centers for Medicare and Medicaid (CMS) EHR Incentive Programs\n     provide incentive payments to eligible health care providers panicipating in these programs only when !hey\n     adopt unified EHR technology and use it to achieve meaningful use.\n\n     The HJTSC Privacy and Security Working Group formulated its standards recommendations UlIing the\n     HITSP standards as its basis. 
Considering the $CCWity standards recommendations from the HITSC, and\n\n     , UndeT Executive Order 134]0, recognition is !he process by which standards are required to be\n     incorporated in all new or significantly upgraded Federal information systems.\n\x0c                                                                                                                     Page 2 of5\n\n\n\n\nafter analyzing e.>:tell$ive public comment on ONC\'s Intcrim FiDa l Rule, ONC publisbed the Health\nlnfnrmation Technology: Initial Set ofSlanlbrds, Implementation Spoci ficatioll$, and Certification Crileria\nfor Electronic Health RC(:ord Tc(:Mology Final Rule on Jul y 28, 2010, simultaneously with CMS\'s final\nru le on the Medicare and Medicaid ERR lneentive Program. The certification criteria in ONC \'s Final Rule\nincluded requirements and standards that EHR technology support important gencntl IT security control\ncapabilities: encryption of electronic Protected Health Information (ePHI) at rest and in motion; access\ncontro ls to prevent unauthorized viewing Or use of ePHI ; and message integrity chc:cl<ing. These\nrequirements an:: intended to allow bealth IT adoptCfS 10 achieve meaningful usc objC(:tivc 14: " Protect\nelectronic bealth information created or maintained by the certified EHR tcc hnology through the\nimplementation of appropriate ICchnica l capabilities." The measurement criterion for this objective\nrequires adopters to \'\'Conduct or review a SC(:uri ty risk analysis in accordance with the requirements under\n45 CFR 164.308(a)( l ) and implement security updates as lIC(;esSIl)\' and correct identi fied security\ndeficiencies IS part of its risk management process") , adopting a well-tecognized risk based approach to\nmanaging security. Consequently, the meaningfu l use Stage I rule specifically requires bealth IT adopters\nto identify and correct any security deficieJICies. 
"There an:: a number of general health IT standards,\nincluding the Security Rule of the Health Insurance Ponability and Accountability Act (HIPAA), as weil l\\!!\nfederal sC(:urity frameworks which havc served as best practices for the general public, including those\ndeveloped by the National lllStiNIC for Standards and Technology (NIS1), that are available for use in\nassessing and correcting s\\JCh security deficiencies.\n\nONC \'s primary mission is to promote thc adoption of health IT in support of improved heaJtbcare: better\noutcomes, fewer errors, less cos\\. ConseqUClltly, in the early stages ofadoptioo effor\\>; under HITECH,\nONe has wo.ted to strike the right ba lance between ensuring the security ofllealth information among new\nadopters while not creating such an onerous burden oftcchnical requirements that the primary adoption\ngoal would fa il to be achieved. By the end of the IIITECIl-related wave of health IT implementations in\n20 15, ONC expects to have a well developed set of certification criteria thaI, coupled with practices\ninitiated WIder the CMS meaningful use rule. will form a strong security framework for the use and\ncxcbange of electronic health information.\n\nAdoption is not the whole story, however. There are many health IT users who are not eligible for\nMeaningful Use incent ives. But unless the entire bealth IT ecosystem panicipate5 in good security\npractices, the well secW"C could face risk from the less secure. Therefore, ONC addresses security and\ncybersecurity at the enterprise leve l, with a strategic plan that considen all components oftbe ~ater world\nof heahh IT. HlTECH required ONC to revise and update its Federal Health IT SltlItegic Plan. A key\neienx:nt of that plan is heallh IT security. ONe\'s Office of the Chief Privacy Officer is in the fmal stages\nof drafting a comprebell.\'livc security strategic plan that details its plans in this regard. 
ONC agrees wi th the\nsentiment expressed by HITSC vice-<:hairman John Halamka: "security is an end-to-end process.." We\nsupport the visioo of enterprise -class health IT security and have taken clear steps to bring this vision to\nliuitioll. It is a task neither fast nor casy, but it is one to which ONC remaill.\'l fully committed.\n\nTecb niul Comments\n\nPal1;e 2 (DITECH, flnal parauapb)\n      \'"ONe published an Interim Final Rule (75 Fed. Reg. 20 13 (2010)) containing the initial set of\n          standards, which SupelSCded the interoperability speo.;ifications adopted before HITECH\'s\n          enactment."\n\n    This statement is inaccurate. The standards adopted in ONC\'slFR did not supersede the\n        interopeTllbility specificatioll$ adopted prior to the HITECH Act. We recommend a period be\n        added to this sentence after \xc2\xb7\'standards" and the rest of the language deleted.\n\n    Page 2, last sentence iDaccurately describes the breach notifi~tion rule. We recommend that it be\n        rewritten to read as follows:\n    Pursuant to HITECH, the InlCrim Final Rule established regulations requiring covcmd entitics to notify\n        affC(:ted individuals, the media, and the HH S Secretary following a breach of theiTprotected bealth\n        infollllltion.\n\n\n\n                                                                                                                2\n\x0c                                                                                                                   Page 3 of5\n\n\n\n\nO IC Reco m llltDda tion I\n\n[ONC should] broaden its focus from interopetability spec ifications to also include   ~ll-developed    general\nIT security controls for supporting s)\'S tems, networks, and infrastructure.\n\nONCRWlOUH I\n\nONC eOTlCW"S with OIG tbat "general IT security controls" serve an important PW]XISC and are necessary to\ne nsllfC the overa ll protection of the confidentia li ty, integrity, and availabili ty 
ofhealth information. As\nO IG notes o n page 2 of the dra ft rcpon , the Office for Civil Rig hts (OCR) is fCSJIOIlSible for regulating\ncovered entities and their compliance with the Health Insurance Portability and Accountability Act\n(H IPAA) Security Rul e. However, in aceordancc with its mission, ONC bas been (and will continue 10 be)\nproactive in he lping p roviders safeguard the privacy and security ofpcrsonal health information.\n\nONC has used iL~ authority to rcguLstc the certification criteria and standards for certified health\ninformation tec:hnology 10 ensure the avai labi lity of application security controls. ONC will worlc. with the\nFACAs established under the HITECH Act to actively explore the l\'ea$ibility of adding general IT sOClUity\ncontrols, such as encryption of portable media and two-factor a uthenticatio n, to the certi fication criteria.\n\nIn addition, ONC has developed training and tools, such as the Privacy and Security Framework Toolkit\nthat ONC launched in 2008, and more recently tools and materials streamed OIIt through ONC\'s 62\nRegional Extension Centers who are engaged in !\\Ctive outreach to healtbcare providers. These materials\ninc lude security awareness literature (and soon, a security awarelle5!l video), a detailed checkl ist covering\nall 10 security domains, and an automated risk analysis tool. Funded products now in development for the\nREClI inc ludc a security capability assessment. incident response planning and training, and continu ity of\nopcratioDll training. For health information exchanges (HIEs), ONC is developing an enlCTprisc-class\nresi liency p lan based on a d eep analysis o f the health information e xchange landscape and its risb and\nvulnerabilit ies. 
Tbe above a~tivit ies arc the core eleme nts ofONC\'s shon-rerm security s trategy, e ffective\nSeptembeT 2010, with goals to lIIIdress the pressing security issues re lated to rapid health IT and HIE\nadoption.\n\nONC bas worked closely with OCR, which has the authority 10 estab lish gcnc:ral lT security standards\nthrough the HIP AA Security Rule, on a number ofgeneral IT security issues, including the development of\nsecurity guidance On how to render protec ted health information (PHI ) unIL<;able, unreadable, and\nindecipherable for the purposes of the DeW breach notification provisions included in the HITECH Act. To\nthis day, ONC continues to work with OCR and NIST on this efTon .\n\nONe wi ll continue to f""us on broad health IT security issues and is currentl y working to identify\nremaining gaps when:, within ilS miSSioDand scope o frcsponsibility, it ean address seeurity across the\nhealth IT enterprise with tools, techniques, research, rccommcoo.tions and, where appropriate and within\nits .",thority, regu la tion.\n\nQIG ReCOmmendation II\n\n[ONe should] use its le adership role to provide guidance 10 the health industry on established general IT\nsecwity standards and IT industry sec urity best practices\n\nONe ReSPOnse II\n\nONe concurs with OIG 00 the importance o f disseminating sec:urity princip les and practicc! as they apply\nto health IT. As part ofONC\'s efforts to work with FACAs and relevant Federal partners to bolster\nsecurity eootrol" will continue to issue recommendations and guidance to the health industry o n health IT\nsecurity best practices.\n\n\n\n\n                                                                                                               J\n\x0c                                                                                                                 Page40fS\n\n\n\n\nAs described above. 
ONC has taken a leadcr!!hip role in promoting health IT s\xc2\xaburity controls through its\neducatioll and ouln:ach activities. In additioll, ONe has provided (and will cOlltinue to provide) practical,\nhands-on security management assistance through the Regional ~tellSion Centers. In addition, ONC\nparticipates wide ly in public outreach programs through !<pCaking engagements, conferences, and\nworkshops. ONC cootinues to sponsor health imormation exchange technology, s uch as the Direct project\nand NwHIN, both of which have developed strong security protections around health infonnation\nexchange. In FY 2010, ONC leadcnllip and s taifpanicipaled in approximately 20 security and privacy\nrelated public engagements, induding the Health Information and Management SystCUl.\'l Society, HIPAA\nSummit, HIPAA Summit West, RSA, Symantec Govenunent Security, Sman Cards in Government,\nInternational A!.soI;iation ofPrivacyProfessionais, Information Systems Security Association, lnformation\nSysteUl.\'l Audit and Contro l Association, and other!!.\n\nOIG Rccom,mcodatjQQ 1II\n\n[ONe should] e mphasize to the mediCliI community the importance of general IT security\n\nONe Resl!OllK III\n\nONC concurs with O IG that it is vitally important to promote awareness of general IT security within the\nmedical community. ONC has bun active in reaching OIlttO individual providen througb the Regional\nExtension Centers, Beacon Communities, Health Information Exchanges, each of which operates a Privacy\nand Security Community of Practice, and through SHARP security research activities which rellCh the\nacademic medical community. ONe has also ensured the inclusion of security and privacy education in\nhea lth IT curricula developed underONC grants. 
In fiscal year 20] I, in collaboration with OCR, ONC will\nlaunch a Sccurity/Cybcrsccuritycommunications campaign to ra ise awareness of and adherence 10 high\xc2\xad\nquality health IT security practices.\n\nOIG RecQ!!II!!endatiQQ IY\n\n[ONe should] coordilwue its work with CMS and OCR tQ add general IT security contro ls where\napplicable.\n\nONe Response IV\n\nONC concUJ$ with OIG\'s finding that coordinatioD among ONe, CMS, and OCR is crucial to promotiDg\nthe adoptioD of general IT security controls for health IT. ONC has coUaborated extCItsively with CMS\nthroughout Stage I of Meaningful Use. The next two Stages ofmcaningfil l usc and launching of the\ncommunications p rogram mentioned above will provide additional opponunities for ONe to collaborate\nwith its panners, inc luding eMS and OCR, on bow best to raise the overall level Qfhealth IT security with\ncertification criteria and implementatiQn incentives.\n\nONe is engaged in on-going collaboration with OCR, fQr example by providing technical researcb and\nrecommendatiQns on emerging security technologies and tec hniques, which OCR has used to infonn its\nru lemaking and guidance. In tum, OCR has collaborated with ONe by provid ing input 10 ONC security\nand cybcrsecurity programs and products tQ insure that our effQrts on security are s ynergistic and non\xc2\xad\ndupliutive.\n\nCQnc lu.~iQn\n\n\nONC has an extensive pomol io ofinitiativcs (that are completed, in process, Qr in the planning and\nfonnulation stages) that seek to prQmote increased security and the public \'s Imst in health IT technology\nand elocU"Oflic health information exchange. In the interest Qfbrevity, we have not detailed all of ONe\'s\ninitiatives in Qur COl1UllCnts to this O IG report.\n\nONe thanks O IG for its efforts on this rcport and fQr addressing areas of future growth for ONe\'s security\np rogram. 
We look forward to continuing to work with OIG to assess and strengthen the u.nderlying trust\n\n\n\n                                                                                                             ,\n\x0c                                                                                                         Page 5 of5\n\n\n\n\nfabric without which our ml!<&on 10 Improve hcahhcan:: through widespread adoption and meaningful usc\nof health IT could be at risk\n\n\n\n\n                                                                                                        ,\n\n\x0c'